

By Kat Hall, 16th December 2015 11:10

Cyber security buck stops with me, says Dido Harding

We wanted to tell customers sooner, but cops wouldn't let us

The chief executive of TalkTalk, Dido Harding, has told MPs that she alone is responsible for cyber security at the company, but that the operator does not yet know if the major hack it experienced in October was avoidable.

The hack led to the personal details of more than 156,000 people being accessed by hackers and the company estimating £35m in losses related to the incident.

Speaking to the Culture, Media and Sport Committee yesterday, Harding said: "Cyber security is a board level issue, and I am responsible for it."

She said there was no specific line manager for cyber security as the responsibility cuts across multiple roles in the company.

Asked if that meant sanctions ought to be imposed at board level, she replied that it would depend on whether the loss of data was avoidable or not. "At this stage we just don't know."

However, Harding failed to mention that just before the hack the company had been advertising for an information security officer.

"Clearly there is a lot more we can and will do going forward. But we are far from alone in having cyber attacks," she told MPs.

She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. "One of the most difficult periods was the first 36 hours of the attack," she said. The company had received a ransom demand and had informed the police. "The next day it was very clear there was a real risk material number of customers data stolen."

She said: "I was clear by lunchtime [the next day] that the sensible thing to do to warn customers, that would make them safer. For understandable reasons, advice received from the police was not to warn our customers."

She said that it had been a reasonable position for cops to take as the police's priority was to catch the criminals.

She said that the incident had been the first specific breach of TalkTalk's systems. Previous incidents where customers' details had been compromised were due to third-party attacks, she told MPs.

Harding also addressed the subject of customer card encryption, which she had previously claimed the company was under no legal obligation to use. She said: "There’s a temptation for people to think that encryption is a kind of silver bullet, that if you encrypt everything it will be OK. For some sorts of data [it's] not a high enough format.

"One of the reasons that none of customers' credit card details were sold in a usable form was because they were not encrypted, they were tokenised. Which means you block out completely the six digits in the middle of the credit card."

Earlier in the hearing, Harding had claimed: "What the criminals effectively did was successfully find a needle in a haystack of haystacks."®
